Privacy: Statutory Protections

From HORSE - Holistic Operational Readiness Security Evaluation.

With the passage of the USA PATRIOT Act, the Homeland Security Act and other laws focused on national security, Congress has been active in changing the legal landscape for access to real-time and stored communications. Despite these amendments, detailed below, the legal regime for obtaining wiretaps and stored communications remains ambiguous.

Federal Statutes

Electronic Communications Privacy Act of 1986

The Electronic Communications Privacy Act of 1986 (“ECPA”), Pub. L. No. 99-508, 100 Stat. 1848 (1986), comprised three titles. Title I amended the 1968 federal wiretap statute to cover electronic communications. Title II of ECPA created a new chapter of the criminal code dealing with access to stored communications and transaction records, commonly known as the “Stored Communications Act” or “SCA.” Title III of the ECPA covers pen registers and trap/trace devices.

Wiretap Act

ECPA, Title I, 18 U.S.C. §§ 2510 et seq. (“Wiretap Act”) makes it unlawful to listen to or observe the contents of a private communication without the permission of at least one party to the communication and regulates real-time electronic surveillance in federal criminal investigations. See main article on Wiretap Act. 18 U.S.C. §§ 2510-2522 was first passed as Title III of the Omnibus Crime Control and Safe Streets Act of 1968 and is generally known as "Title III".

Stored Communications Act

ECPA Title II, 18 U.S.C. §§ 2701 et seq. (“Stored Communications Act”) generally prohibits the disclosure of the content of electronically stored communications. The Act does not prohibit disclosure of user information to non-government entities. See main article on Stored Communications Act.

The Stored Communications Act also strictly limits the information that an electronic communication service may provide to the government. A government entity generally must provide a subpoena, warrant or court order to obtain information about a user that is stored by the communication service provider. The USA PATRIOT Act (see below) amended these provisions to permit disclosure of such information to the government if the service provider has a good faith belief that there is an imminent danger of death or serious physical injury.

Pen/Trap Statute

The Pen Registers and Trap and Trace Devices chapter of Title 18 ("the Pen/Trap statute"), 18 U.S.C. §§ 3121-3127, governs pen registers and trap and trace devices, empowering a court to issue an order “authorizing the installation and use of a pen register or trap and trace device” upon application and proper certification by the government. A “pen register” is a device that records the numbers dialed for outgoing calls made from the target phone. A trap and trace device captures the numbers of calls made to the target phone.

The Pen/Trap statute expressly prohibits pen/trap devices from collecting communications content. The legislative history clarifies that "[t]he term 'pen register' means a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted for the purpose of routing telephone calls, with respect to wire communications, on the phone line to which such device is attached. The term does not include the contents of a communications, rather it records the numbers dialed." H.R. Rep. No. 99-647, at 78 (1986); see also People v. Bialostok, 610 N.E.2d 374, 378 (N.Y. Ct. App. 1993) (devices that can acquire communications contents cannot be authorized under Pen/Trap Statute).

Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) provides a cause of action against one who, inter alia, “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication.” 18 U.S.C. § 1030(a)(2)(C), (g). The CFAA targets attacks on computer systems that cause damage or destruction to electronic data. See Int'l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006).

The CFAA criminalizes intruders who trespass on computers and computer networks. Int’l Ass’n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 495-96 (D.Md 2005) (citing S. Rep. No. 99-432, at 4 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2482 (explaining that the CFAA “is a consensus bill aimed at deterring and punishing certain ‘high-tech’ crimes”)). Although the CFAA is primarily a criminal statute, it also provides a private cause of action if a violation causes loss or damage, as those terms are defined in the statute. See 18 U.S.C. § 1030(g).

Section 1030(a)(2) targets “the unauthorized procurement or alteration of information, not its misuse or misappropriation.” Shamrock Foods v. Gast, 535 F. Supp. 2d 962, 965 (D. Ariz. 2008) (citing Brett Senior & Assocs., P.C. v. Fitzgerald, 2007 WL 2043377 (E.D. Pa. July 13, 2007)).

To make out a claim under 18 U.S.C. § 1030(a)(4), Plaintiff must show that Defendants

  1. knowingly and with intent to defraud
  2. accessed a protected computer
  3. without authorization or exceeding authorized access
  4. obtained anything of value
  5. causing a loss resulting in economic damages aggregating at least $5,000.

18 U.S.C. §§ 1030(a)(4), 1030(a)(5)(B)(i), 1030(g).

USA PATRIOT Act

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act), PL 107-56. Passed in the wake of the 9/11 terrorist attacks, the controversial Act expands the type of information to which law enforcement officials may obtain access and permits service providers to divulge the contents of communications in emergencies.

  1. Section 210 increases the types of information to which law enforcement officials may obtain access by requiring them to meet only the lowest ECPA standard; types of information covered include records of session times and durations, temporary network addresses, and means and source of payments, including credit card and bank account numbers.
  2. Section 212 of the Act permits service providers to voluntarily release the contents of communications if they reasonably believe that “an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay.” This provision was further modified by the Homeland Security Act to increase the number of governmental agencies to which service providers may disclose communications and to soften the standard by which communications can be disclosed to a “good faith” belief from a “reasonable belief.”
  3. Section 214 of the Act significantly expands the FBI's electronic surveillance powers under the Foreign Intelligence Surveillance Act (FISA), as well as lowering the standards under which the secret FISA court can authorize the FBI to spy on your phone and Internet communications. In particular, Section 214 makes it easier for the FBI to install "pen registers" and "trap-and-trace devices" (collectively, "pen-traps") in order to monitor the communications of citizens who are not suspected of any terrorism or espionage activities.
  4. Section 215 allows the FBI secretly to order anyone to turn over business records or any other "tangible things," so long as the FBI tells the secret Foreign Intelligence Surveillance Act (FISA) court that the information sought is "for an authorized investigation...to protect against international terrorism or clandestine intelligence activities." These demands for records come with a "gag order" prohibiting the recipient from telling anyone, ever, that they received a Section 215 order.
  5. Section 217 permits service providers to “invite” law enforcement to assist in tracking and intercepting a computer trespasser’s communications.

EFF analysis of the provisions of the USA PATRIOT Act.

Homeland Security Act

The Homeland Security Act of 2002, PL 107-296. Provisions of Section 896 and Section 225 (“The Cyber Security Enhancement Act”) of the Homeland Security Act increase prison time and penalties for violations of the CFAA, prohibit Internet advertising of illegal surveillance devices, and allow law enforcement agencies to make pen register/trap and trace installations without a court order in the case of “national security interests” or an attack on a protected computer as defined by the CFAA.

The Homeland Security Act Section 225 expanded the power of PATRIOT Section 212 by 1) lowering the relevant standard from "reasonable belief" of a life-threatening emergency to a "good faith belief," 2) allowing communications providers to use the emergency exception to disclose your data to any government entity, not just law enforcement, and 3) dropping the requirement that the threat to life or limb be immediate.

Other Federal Statutes

The Cyber Security Enhancement Act

This act allows service providers to disclose the contents of communications to “Federal, State, or local government entities” in the event that the provider has a “good faith” belief that “an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay.” These changes effectively expanded the scope of disclosures possible under the law and lowered the standard by which such disclosures could take place.

The 21st Century Department of Justice Appropriation Authorization Act

Under this Act, law enforcement agents are not required to be present during the execution of a warrant made pursuant to the ECPA’s requirements. Congress’s action effectively reversed United States v. Bach, 2001 U.S. Dist. LEXIS 22109 (D. Minn. 2001), a case which required the presence of a government law enforcement agent to exercise a warrant. The district court opinion has also been reversed and remanded upon review by the Eighth Circuit in United States v. Bach, 310 F.3d 1063 (8th Cir. 2002).

The Cable Act

Many cable companies are now providing Internet services. The Cable Communications Policy Act ("the Cable Act"), 47 U.S.C. § 551, restricts when the government can obtain "personally identifiable information concerning a cable subscriber," generally requiring them to overcome a heavy burden of proof at an in-court adversary proceeding, as specified in 47 U.S.C. § 551(h). After the USA PATRIOT Act, cable operators may disclose subscriber information to the government pursuant to ECPA, Title III, and the Pen/Trap statute, except for "records revealing cable subscriber selection of video programming." 47 U.S.C. § 551(c)(2)(D).

The Cable Act, 47 U.S.C. § 551(c)(2)(B), also requires cable companies to provide notice to subscribers before disclosure of "personally identifiable" customer information in response to a civil subpoena. Cable providers are also required to "destroy personally identifiable information if the information is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to such information under subsection (d) of this section or pursuant to a court order."

Computer Matching & Privacy Protection Act

The Computer Matching & Privacy Protection Act of 1988 (and its amendments in 1990), 5 U.S. Code 552a (a)(8)-(13), (3)(12), (o), (p), (q), (r), & (u), sets requirements that federal agencies must follow when matching information on individuals with information held by other federal, state or local agencies.

The Privacy Act

The Privacy Act regulates the “‘collection, maintenance, use, and dissemination of information’” about individuals by federal agencies. Doe v. Chao, 540 U.S. 614, 618 (2004) (quoting Privacy Act of 1974 § 2(a)(5), 88 Stat. 1896). It “authorizes civil suits by individuals . . . whose Privacy Act rights are infringed,” Sussman v. U.S. Marshals Serv., 494 F.3d 1106, 1123 (D.C. Cir. 2007), and provides for criminal penalties against federal officials who willfully disclose a record in violation of the Act, 5 U.S.C. § 552a(i)(1).

Video Privacy Protection Act

The Video Privacy Protection Act of 1988, 18 U.S.C. § 2710, "prohibits video service providers from disclosing personally identifiable information except in certain, limited circumstances. As a general rule, personally identifiable information may only be disclosed with the prior written consent of the individual." S. Rep. No. 100-599, 100th Cong., 2d Sess, 1988 U.S.C.C.A.N. 4342-1. "The impetus for enacting the measure arose as a result of Judge Robert Bork's 1987 Supreme Court nomination battle, during which a Washington, D.C. newspaper obtained a list of 146 video tapes the Bork family had previously rented from their neighborhood store." Dirkes v. Borough of Runnemede, 936 F.Supp. 235 (D.N.J. 1996).

The VPPA protects “personally identifiable information,” which is defined to include “information which identifies a person as having requested or obtained specific video materials or services.” § 2710(a)(3). "Unlike the other definitions in [the VPPA], paragraph (a)(3) uses the word 'includes' to establish a minimum, but not exclusive, definition of personally identifiable information." S. Rep. No. 100-599. The Act applies to "video tape service providers," meaning "any person, engaged in the business ... of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials." § 2710(a)(4).

Pursuant to the VPPA, personally identifying information may not be disclosed:

in a civil proceeding [except] upon a showing of compelling need for the information that cannot be accommodated by any other means, if—

(i) the consumer is given reasonable notice, by the person seeking the disclosure, of the court proceeding relevant to the issuance of the court order; and

(ii) the consumer is afforded the opportunity to appear and contest the claim of the person seeking the disclosure.

§ 2710(b)(2)(F). "This requirement for disclosure pursuant to court order in civil proceedings supersedes federal and state rules of discovery and would prevent disclosure pursuant to a court order in discovery proceedings unless that order complied with this subsection of the Act." S.Rep. 100-599.

Personally identifying information may only be disclosed to a "law enforcement agency pursuant to a warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant, a grand jury subpoena, or a court order," and "only with prior notice to the consumer and only if the law enforcement agency shows that there is probable cause to believe that the records or other information sought are relevant to a legitimate law enforcement inquiry." § 2710(b)(2)(C) and (b)(3). Violations can be enforced by a statutory cause of action. § 2710(c).

The VPPA also requires the service provider to "destroy personally identifiable information as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected." § 2710(e). "The purpose of this provision is to reduce the chances that an individual's privacy will be invaded, by requiring the destruction of information in an expeditious fashion, appropriate to the circumstances and to the policies protected by this Act." S.Rep. 100-599. In interpreting the VPPA:

[T]he phrase the 'purpose for which it was collected' must be narrowly construed. It may include only activities that are for the exclusive use of marketing goods and services to the consumer. It may not, however, include activities that violate the intent of the statute, which is to protect personally identifiable information from disclosure.

Id.

Scope of Act

The VPPA refers to “prerecorded video cassette tapes or similar audio visual materials.” While video tapes have sharply declined in popularity, the legislative history shows that "similar audio visual materials" is broad and includes "laser disks, open-reel movies, or CDI technology[1]." "[I]n construing the scope of the Act, this Court must strive to protect this aspect of an individual's right to privacy in the face of technological innovations that threaten this fundamental right." Dirkes, 936 F.Supp. at 239. The intent to apply the VPPA to modern technology is illustrated by the comments of Senator Leahy in the Senate Report:

In an era of interactive television cables, the growth of computer checking and check-out counters, of security systems and telephones, all lodged together in computers, it would be relatively easy at some point to give a profile of a person and tell what they buy in a store, what kind of food they like, what sort of television programs they watch, who are some of the people they telephone ...

S.Rep. No. 100-599, at 6 (1988).

In Bamon Corp. v. City of Dayton, 730 F.Supp. 80 (S.D.Ohio 1990), the court found that the VPPA did not preempt a statute that required that every video booth in an adult video watching facility not be obscured by any curtain, door, or other enclosure. The Court held that the VPPA "was intended to prohibit, except in limited circumstances, the disclosure to public or private entities of records (or information derived from those records) kept by video tape service providers and linking the names of customers with the subject matter of the videotaped materials they have rented or purchased." (emphasis original).

Persons Liable

Dirkes found that any person can be liable under the VPPA, because the statute states that a suit can be based upon an act of “a person” rather than an act of “a VTSP.” Dirkes, 936 F.Supp. at 240. See § 2710(c) ("Any person aggrieved by any act of a person in violation of this section may bring a civil action in a United States district court."). See also Camfield v. City of Oklahoma City, 248 F.3d 1214, 1217-1218 (10th Cir. 2001) (plaintiff obtained statutory damages against Oklahoma City government and police for obtaining video records in violation of the VPPA).

However, Daniel v. Cantrell, 375 F.3d 377 (6th Cir. 2004) disagreed, holding that "only a VTSP can be in violation of section 2710(b)." Daniel at 383, citing § 2710(b)(1) (“A video tape service provider who knowingly discloses ... personally identifiable information ... shall be liable....”).

State Statutes

Title III does not preempt state statutes that are more protective of privacy. “Congress intended that the states be allowed to enact more restrictive laws designed to protect the right of privacy.” People v. Conklin, 12 Cal.3d 259, 271 (1974); see also Roberts v. Americable Intern. Inc., 883 F.Supp. 499, 503, fn. 6 (E.D.Cal. 1995); United States v. Curreri, 388 F.Supp. 607, 613 (D.Md. 1974); Bishop v. State, 526 S.E.2d 917, 920 (Ga.Ct.App. 1999); People v. Pascarella, 415 N.E.2d 1285, 1287 (Ill.App.Ct. 1981).

Anti-Spyware

  1. The Consumer Protection Against Computer Spyware Act, Cal. Bus. & Prof. Code § 22947 et seq., prohibits an unauthorized person from knowingly installing or providing software that performs certain functions, such as taking control of the computer or collecting personally identifiable information, on or to another user's computer located in California.
  2. Georgia Computer Security Act of 2005 [2] prohibits an unauthorized person from knowingly installing or providing software that performs certain functions, such as taking control of the computer or collecting personally identifiable information, on or to another user's computer located in Georgia.
  3. Washington, http://www.leg.wa.gov/pub/billinfo/2005-06/Htm/Bills/House%20Passed%20Legislature/1012-S.PL.htm

Communications Privacy

  • Cal. Penal Code § 630-637.9 prohibits electronic eavesdropping on or recording of private communications. See generally Flanagan v. Flanagan, 27 Cal.4th 766, 772-777 (2002); Bast, What’s Bugging You? Inconsistencies and Irrationalities of the Law of Eavesdropping, 47 DePaul L.Rev. 837, 870 (1998). Other states [3].
  • Some states require employers to give notice to employees prior to monitoring their email. See Delaware Code § 19-7-705, General Statutes of Connecticut § 31-48d.
  • State hacking laws [4]

General Privacy

  1. The Information Practices Act of 1977, Cal. Civil Code § 1798 et seq., limits the collection, management and dissemination of personal information by state agencies.
  2. Cal. Civil Code § 1798.81.5 - Regulates the security of personal information (defined as name plus SSN, driver’s license/state ID, financial account number) collected by certain businesses.
  3. Cal. Civil Code §§ 1798.80 and 1798.84 - Regulates the destruction of records with personal information.

Privacy Policies

  1. The California Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code § 22575 - 22579, requires websites or other online services that collect personally identifiable information from California consumers to post a conspicuous privacy policy. The text of this law, as well as the legislative counsel's digest and the Legislature's findings and declarations, can be found at http://www.leginfo.ca.gov/pub/bill/asm/ab_0051-0100/ab_68_bill_20031012_chaptered.pdf.
  2. Pennsylvania 2003-04 S.B. 705, Act. 202 [5] and Nebraska Statutes § 87-302 [6] prohibit knowingly making a false or misleading statement in a privacy policy.